<<< Date Index >>>     <<< Thread Index >>>

Re: Re: Re: Re: SMF "index.php?action=pm" Cross Site-Scripting



Any way, this vulnerability is not dangerous.. because for sending a successful 
PM request, you need to match the "sid" variable, that is impossible to get 
unless you already have control of the session.

The correct patch must be added in the theme file 
"PersonalMessage.template.php" at the begining of the code:
$context["to"]=htmlentities($context["to"]);
$context["bcc"]=htmlentities($context["bcc"]);

Greetz!!